PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-35950 Siemens CVE debrief

A race condition vulnerability exists in the Linux kernel's Direct Rendering Manager (DRM) client subsystem. The flaw involves incomplete protection of display modes using the dev->mode_config.mutex lock, potentially allowing a local attacker with low privileges to exploit the race condition for confidentiality, integrity, and availability impacts. The vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems through their GNU/Linux subsystem. CISA published this advisory on April 9, 2024, with subsequent updates through September 2025 adding numerous related CVEs to the same advisory. No patch is currently available from the vendor.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Industrial control system operators, OT security teams, and organizations deploying Siemens SIMATIC S7-1500 TM MFP systems with activated GNU/Linux subsystems should prioritize this vulnerability. The local attack vector requires attacker access to the device's interactive shell, making physical or remote shell access controls critical. Organizations in critical infrastructure sectors should apply CISA's defense-in-depth recommendations while awaiting vendor patches.

Technical summary

The vulnerability exists in the Linux kernel's DRM (Direct Rendering Manager) client implementation where display modes are not fully protected by the dev->mode_config.mutex lock. This race condition can be triggered by a local attacker with low privileges, potentially leading to use of uninitialized resources. The attack complexity is rated HIGH due to timing requirements, but successful exploitation yields HIGH impact on confidentiality, integrity, and availability. The flaw is particularly relevant in industrial environments where the Siemens SIMATIC S7-1500 TM MFP's GNU/Linux subsystem provides extended functionality beyond standard PLC operations.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Build and run applications exclusively from trusted sources
  • Monitor for vendor security updates from Siemens
  • Apply defense-in-depth strategies for industrial control systems per CISA guidance
  • Segment affected systems from untrusted networks where possible

Evidence notes

The vulnerability description indicates a race condition in DRM client mode protection (CWE-908: Use of Uninitialized Resource). CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local attack vector with high attack complexity, requiring low privileges but no user interaction, with high impacts across confidentiality, integrity, and availability.

Official resources

CISA published advisory ICSA-24-102-01 on April 9, 2024, identifying this vulnerability in Siemens SIMATIC S7-1500 TM MFP industrial control systems. The advisory has undergone ten revision updates through September 9, 2025, expanding the coverage